It has been recognised that due to the constant changes and growth in the use of technology, our laws are struggling to keep up and issues related to data misuse are occurring too often.
In reaction to this, the European Union (EU) has taken new steps in developing laws that aim to keep up with these changes and protect its citizens. From 25th May 2018, a new regulation called the General Data Protection Regulation (GDPR) is being rolled out across the EU, forcing companies to increase their security measures and giving EU citizens higher levels of protection and many new rights.
Over the past few months, we have seen a growing amount of confusion amongst IT leaders about the impact of GDPR, and assumptions being made as a result. In this blog, we aim to examine the top 6 headlines we have heard and explain what GDPR really means.
1. ‘GDPR is an IT issue’
This is simply not the case. Although data privacy is widely believed to be largely an IT matter, this view is short-sighted. IT departments play a critical role in managing data privacy and are key supporters within companies on their journey to become GDPR compliant, using technology to safeguard data. However, many aspects of GDPR relate to data usage, data quality and business processes – these impact the business and require business-driven changes. We all play a key role in data protection and it is everyone’s responsibility to be GDPR compliant; at the end of the day, technology has its limitations.
2. ‘My business is based outside the EU, so GDPR does not affect us’
This is true in SOME circumstances. If your company has no employees, businesses or offices in the EU, and you have no dealings with companies or clients within the EU, you are not affected by GDPR. If, however, your company trades with anyone within the EU, you must comply with GDPR. Even though this is an EU regulation, you should see it as a global policy because of the ripple effect it has. Take the provision of cloud technology as an example: an EU citizen’s or user’s data can be stored in multiple locations around the world, and the provider will still need to comply with GDPR.
3. ‘Brexit is happening, so we do not need to prepare for GDPR’
This is not the case. The UK must comply with GDPR. The regulation will be implemented before the UK leaves the EU. Also, the majority of companies in the UK will, in one way or another, be dealing with EU citizens.
4. ‘My data is hosted by a third party, therefore I have outsourced the GDPR responsibility’
Businesses using 3rd parties for their data hosting still need to ensure that their providers and any other sub-contractors are GDPR compliant. Both data controllers and processors share responsibility for meeting GDPR requirements. You cannot outsource GDPR compliance – we all have a responsibility.
5. ‘We are old school in our processes and do not use technology for data storage or processing’
GDPR covers personal and sensitive data whether it is stored in the cloud or in a filing cabinet, as it looks at protecting the data from unauthorised or unlawful processing, destruction, damage or accidental loss. You must take all reasonable steps to ensure that data is safe, secure and GDPR compliant regardless of its storage media.
6. ‘My existing database only consists of backup and archived data, therefore it is not affected by GDPR’
Any data, whether archived or backed up, is still classed as processed data and therefore its storage needs to be GDPR compliant.
GDPR is a journey that a company will need to embark on; it is not a tick-box exercise!
GDPR comes into effect from 25th May 2018 – everyone needs to be prepared for it. Non-compliance could cost a company up to €20 million or 4% of the company’s global annual turnover (from the previous financial year), whichever is higher, as well as causing significant brand damage.
Given the timeframes, you really should by now have GDPR compliance work underway as a high priority. If you need assistance in commencing, structuring or delivering this work, please contact us, as Coeus can help.
To keep up to date with Coeus Consulting blog posts, follow us on LinkedIn (Coeus Consulting Limited) or Twitter at @CoeusITAdvisory.